
RE: RADIUS-Mobile IP support??: RADEXT WG Charter



I think you got it wrong. The MN-HA shared secrets are not dynamically
generated in the HAAA. At least I don't know of such a text in the 3GPP2
standard.

I think what we are discussing is purely key distribution issues. So, why
don't we start the discussion about the need for a key distribution
mechanism with RADIUS and see whether RADEXT can accommodate that?

-Kuntal

>-----Original Message-----
>From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri@motorola.com] 
>Sent: Thursday, May 20, 2004 9:30 AM
>To: Chowdhury, Kuntal [RICH1:2H18:EXCH]; Charles E. Perkins; 
>Nakhjiri Madjid-MNAKHJI1
>Cc: radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>Kuntal, 
>
>As far as I understood, the secrets are hashed with MN-AAA keys. 
>Any key distribution method that happens on-line has to be 
>done this way. Also the secrets are only needed for the 
>duration of the Mobile's visit to the foreign network. How is that 
>more long lived than a key established during IKE?
>
>Madjid
>
>-----Original Message-----
>From: Kuntal Chowdhury [mailto:chowdury@nortelnetworks.com]
>Sent: Wednesday, May 19, 2004 5:18 PM
>To: Charles E. Perkins; Nakhjiri Madjid-MNAKHJI1
>Cc: radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>Charlie,
>
>Sending a user's (static or long lived) shared-secret over the 
>wire opens up for attacks. If the MN-HA shared secret is 
>compromised, MIP4 will run into a serious security issue. That's 
>why it is a bad idea.
>
>-Kuntal
>
>>-----Original Message-----
>>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>>Sent: Wednesday, May 19, 2004 5:11 PM
>>To: Nakhjiri Madjid-MNAKHJI1
>>Cc: Chowdhury, Kuntal [RICH1:2H18:EXCH]; 
>>radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>>
>>
>>
>>Hello folks,
>>
>>Since I'm receiving these e-mails, perhaps someone could enlighten me:
>>
>>>2. The distribution of MN-HA shared-secret to the HA (from HAAAs) is a
>>>bad practice. We are not doing that for MIP6 and we may fix that in a
>>>bug fix release for MIP4.
>>>
>>Why is this a bad idea?
>>
>>I thought it was pretty good, actually...
>>
>>
>>Regards,
>>Charlie P.
>>
>
>--
>to unsubscribe send a message to 
>radiusext-request@ops.ietf.org with the word 'unsubscribe' in 
>a single line as the message text body.
>archive: <http://psg.com/lists/radiusext/>
>
